#Reset Password: Email is sent even though the user is not registered
10 messages · Page 1 of 1 (latest)
I'm going to guess the intended purpose is not to reveal if the email was valid or not
The same kind of reason why when you log in to a login form, on the server if the password fails, you don't want to respond "wrong password", because then they know that the email exists but the password is wrong.
Can we customize this to a message
or can we customize this to check if the user exists
thisisnotchris is correct, it will be for security.
Anywhere that an attacker could attempt to learn whether a username/email is valid/registered needs to respond with generic messages.
A good resource for this sort of thing can be found on the OWASP website - https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
It should not actually send an email to users that don't appear in the system though. That would just be silly.
My guess is that it doesn't send the emails, but the message relayed was confusing to them
99% of all "forgot password" processes that use sending an email link to let you reset your password will use very similar wording. Most will indicate success regardless of whether the email exists or not.
The problem is that the message isn't the only thing an attacker can check to see if the user exists. They can test how long it takes the system to show the message and use differences in timing to guess more accurately whether a user exists. For this reason most systems will not only show the exact same message regardless of the user's existence but will also not even wait for the check to happen before showing the success message.
They will "fire and forget" a request to send a password reset for the email entered, then immediately show the message without waiting for the result. This means that the timing will be the same for any email address entered regardless of its existence in the system.
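The two points raised in this thread (a single generic message, and a fire-and-forget handler so response time does not depend on the account lookup) side by side, as an added example that is not code from the original thread or from any product discussed in it. The in-memory `USERS` table, the `_persist_token_and_send` sleep standing in for database and SMTP latency, and the function names are all constructed for the demo; a real deployment would consume the job queue from a separate worker thread or task runner rather than calling `process_reset_jobs` inline.

```python
import queue
import secrets
import statistics
import time

# Constructed in-memory user store; stands in for the real user table (assumption).
USERS = {"alice@example.com": {"id": 1, "name": "Alice"}}

# The one response every request receives, registered address or not.
GENERIC_MESSAGE = "If an account exists for that address, a password reset link has been sent."


def _persist_token_and_send(email, token, outbox):
    """Simulated slow path: store the token and hand the mail to SMTP.
    The sleep is a stand-in for that latency (constructed for the demo)."""
    time.sleep(0.05)
    outbox.append((email, token))


def reset_request_leaky(email, outbox):
    """Anti-pattern: both the wording and the response time reveal
    whether the address is registered."""
    if email not in USERS:
        return "No account found for that email address."
    token = secrets.token_urlsafe(32)
    _persist_token_and_send(email, token, outbox)
    return "A password reset link has been sent."


def reset_request_hardened(email, job_queue):
    """Fire and forget: enqueue the work and answer at once with the generic
    message, so neither wording nor latency depends on the lookup."""
    job_queue.put(email)
    return GENERIC_MESSAGE


def process_reset_jobs(job_queue, outbox):
    """Background worker. Only registered users get an email; unknown
    addresses are dropped silently, so no mail goes to non-users."""
    while not job_queue.empty():
        email = job_queue.get_nowait()
        if email in USERS:
            token = secrets.token_urlsafe(32)
            _persist_token_and_send(email, token, outbox)


def response_time_gap(handler, sink, registered, unregistered, rounds=5):
    """Median response-time difference (seconds) between a registered and an
    unregistered address: the signal a timing attacker would measure."""
    def median_latency(email):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            handler(email, sink)
            samples.append(time.perf_counter() - start)
        return statistics.median(samples)
    return abs(median_latency(registered) - median_latency(unregistered))


def run_demo():
    """Exercise both handlers and return the observable results."""
    known, unknown = "alice@example.com", "nobody@example.com"
    leaky_outbox, hardened_outbox, jobs = [], [], queue.Queue()
    leaky_msgs = (reset_request_leaky(known, leaky_outbox),
                  reset_request_leaky(unknown, leaky_outbox))
    hardened_msgs = (reset_request_hardened(known, jobs),
                     reset_request_hardened(unknown, jobs))
    process_reset_jobs(jobs, hardened_outbox)
    return {
        "leaky_messages": leaky_msgs,
        "hardened_messages": hardened_msgs,
        "hardened_sent_to": [e for e, _ in hardened_outbox],
        "leaky_gap": response_time_gap(reset_request_leaky, [], known, unknown),
        "hardened_gap": response_time_gap(reset_request_hardened, queue.Queue(), known, unknown),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The leaky handler differs in both message text and latency (about 50 ms for a registered address, near zero otherwise); the hardened handler returns the same string with the same near-zero latency for both, and the worker still only mails the registered user.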